VDB

HCSEC-2025-12

HCSEC-2025-12 PUBLISHED

**Bulletin ID:** HCSEC-2025-12 **Affected Products / Versions:** Nomad Community Edition from 1.4.0 up to 1.10.1, fixed in 1.10.2. Nomad Enterprise from 1.4.0 up to 1.10.1, 1.9.9, 1.8.13, fixed in 1.10.2, 1.9.10, and 1.8.14. **Publication Date:** June 11, 2025 **Summary** Nomad Community and Nomad Enterprise (“Nomad”) prefix-based ACL policy lookup can lead to incorrect rule application and shadowing. This vulnerability, identified as CVE-2025-4922, is fixed in Nomad Community Edition 1.10.2 and Nomad Enterprise 1.10.2, 1.9.10, and 1.8.14. **Background** Nomad provides an optional [Access Control List (ACL) system](https://developer.hashicorp.com/nomad/tutorials/access-control/access-control-policies) which can be used to control access to data and APIs. The [ACL system](https://developer.hashicorp.com/nomad/tutorials/access-control/access-control) is capability-based, relying on tokens which are associated with policies to determine which fine grained rules can be applied. [ACL Policies](https://developer.hashicorp.com/nomad/tutorials/access-control/access-control#acl-policies) consist of a set of rules defining the capabilities or actions to be granted. **Details** It was discovered that getting ACL policies by job would perform a prefix-based lookup on the index which could result in policies being applied incorrectly causing unintentional policy rule shadowing. An attacker with the proper access could create a new job with a prefixed name (e.g: test-job-2) to inherit the same ACL policies as an already existing job (e.g: test-job). This could allow running privileged jobs without explicitly configuring a new policy. **Remediation** Customers should evaluate the risk associated with this issue and consider upgrading to Nomad 1.10.2, 1.9.10, 1.8.14, or newer. **Acknowledgement** This issue was identified by HashiCorp‘s Nomad engineering teams. *We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see [https://hashicorp.com/security](https://hashicorp.com/security).*

Timeline

  • Jun 11, 2025 CVE Published
Open in Interactive Console →
$ Console Community · 100/wk Open console ›